2.6 Ensure transport layer security for 'basic authentication' is configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that SSL be configured and required for any Site or Application using Basic Authentication.

Credentials sent in clear text can be easily intercepted by malicious code or persons. Enforcing the use of Secure Sockets Layer will help mitigate the chances of hijacked credentials.

Solution

To Use Basic Authentication with SSL:
1. Open IIS Manager
2. In the Connections pane on the left, select the server to be configured
3. In the Connections pane, expand the server, then expand Sites and select the site to be configured
4. In the Actions pane, click Bindings; the Site Bindings dialog appears
5. If an HTTPS binding is available, click Close and see below 'To require SSL'
6. If no HTTPS binding is visible, perform the following steps

To add an HTTPS binding:
1. In the Site Bindings dialog, click Add; the Add Site Binding dialog appears
2. Under Type, select https
3. Under SSL certificate, select an SSL certificate
4. Click OK, then click Close

To require SSL:
1. In Features View, double-click SSL Settings
2. On the SSL Settings page, select Require SSL, and Require 128-bit SSL
3. In the Actions pane, click Apply
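
The same three checks (Basic Authentication enabled, HTTPS binding present, Require SSL with 128-bit) can be read for every site at once. The following is an added example, not part of the original audit: the function name `Test-BasicAuthTls` is hypothetical, it uses the WebAdministration module, it only reads configuration, and it inspects the site level only, not nested applications or virtual directories.

```powershell
# Added example: read-only audit. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

function Test-BasicAuthTls {
    $root = 'MACHINE/WEBROOT/APPHOST'
    foreach ($site in Get-Website) {
        # Is Basic Authentication enabled for this site?
        $basic = (Get-WebConfigurationProperty -PSPath $root -Location $site.Name `
            -Filter 'system.webServer/security/authentication/basicAuthentication' `
            -Name 'enabled').Value

        # Bindings dialog check: does the site have at least one HTTPS binding?
        $https = @(Get-WebBinding -Name $site.Name -Protocol 'https').Count -gt 0

        # SSL Settings check: sslFlags is a comma-separated list such as "Ssl,Ssl128".
        $raw = Get-WebConfigurationProperty -PSPath $root -Location $site.Name `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
        # Assumption: the value is returned as a string; unwrap it if it is an attribute object.
        if ($raw -isnot [string]) { $raw = $raw.Value }
        $flags = @("$raw" -split ',' | ForEach-Object { $_.Trim() })

        $requireSsl = $flags -contains 'Ssl'      # "Require SSL"
        $require128 = $flags -contains 'Ssl128'   # "Require 128-bit SSL"

        [pscustomobject]@{
            Site         = $site.Name
            BasicAuth    = [bool]$basic
            HttpsBinding = $https
            RequireSsl   = $requireSsl
            Require128   = $require128
            # A site passes if it does not use Basic Authentication,
            # or if it has an HTTPS binding and both SSL requirements are set.
            Compliant    = (-not $basic) -or ($https -and $requireSsl -and $require128)
        }
    }
}

Test-BasicAuthTls | Format-Table -AutoSize
```

Sites reported with `Compliant` set to `False` are the ones to take through the IIS Manager steps above.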

See Also

https://workbench.cisecurity.org/files/166